topic Re: IOS content filtering in Network Security

IOS content filtering

tachyon05 — Mon, 11 Mar 2019 17:41:08 GMT

This link has a good example on how to configure CISCO IOS Content Filtering http://supportforums.cisco.com/docs/DOC-8028

i copied and pasted the config on to a 1941W router and it worked. however, i found that the router could go in and out of the "allow mode" regularly (like every few minutes). below is example. during the allow mode, content filtering is basically turned off and users can hit any site. I don't want to turn off the allow mode, but is there a way to minimize the # of times the router goes into allow mode?

May 4 14:41:03.218: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:42:05.458: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:42:07.786: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:43:08.035: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE
May 4 14:46:39.144: %URLF-3-ENTER_ALLOW_MODE: URLF classification request timed out, the router is entering allow mode.
May 4 14:47:39.388: %URLF-5-LEAVE_ALLOW_MODE: Connection to an URL filter server is made, or subscription for URLF service is renewed. The router is returning from ALLOW MODE

Re: IOS content filtering

Panos Kampanakis — Wed, 05 May 2010 16:31:03 GMT

What you see is happening is because the router cannot contact the trps.trendmicro.com to ask for the category of the sites in order to allow them or not.

You can use option "server {server-name | ip-address} [outside] [port port-number] [retrans retransmission-count] [timeout seconds]" under the "parameter-map type urlfpolicy trend dynamic-parameters" to change the timeout and wait for more time until you declare the "allow-mode on".

But that will not fix the underlying problem which is probably connectivity to trps.trendmicro.com. Try using either of the ip addresses 216.104.8.100, 216.99.133.100 ("ip host trps.trendmicro.com 216.99.xxx" command on the router) and see what the response times are and see if you can chose the one that is the best for you and if that fixes the issue.

I hope it helps.

Re: IOS content filtering

tachyon05 — Thu, 06 May 2010 20:57:28 GMT

i tried to not use the ip domain lookup on the router, and added ip host trps.trendmicro.com 216.99.133.100 216.104.8.100 and
ip host crl.geotrust.com 69.58.183.143. however, the router still continues to go in and out of the allow mode.

i also tried what you said, and found out that from the router,

216.104.8.100's average round trip back to router is 81ms

216.99.133.100's average round trip back to router is 4 ms.

therefore, i reconfigured the ip host trps.trendmicro.com to include only the 216.99.133.100. thinking it will be faster, but the result is still the same.

any other suggestions?

thanks